Abstract

Quantum key distribution (QKD) is a provably secure way for two distant parties to establish a common secret key, which then can be used in a classical cryptographic scheme. Using quantum entanglement, one can reduce the necessary assumptions that the parties have to make about their devices, giving rise to device-independent QKD (DIQKD). However, in all existing protocols to date the parties need to have an initial (at least partially) random seed as a resource. In this work, we show that this requirement can be dropped. Using recent advances in the fields of randomness amplification and randomness expansion, we demonstrate that it is sufficient for the message the parties want to communicate to be (partially) unknown to the adversaries, an assumption without which any type of cryptography would be pointless to begin with. One party can use her secret message to locally generate a secret sequence of bits, which can then be openly used by herself and the other party in a DIQKD protocol. Hence, our work reduces the requirements needed to perform secure DIQKD and establish safe communication.


1 Introduction 


Within the advancing quantum information technologies, quantum key distribution (QKD) is arguably the technologically most advanced field and has already entered the market with working product solutions. In this quantum cryptographic protocol, two parties, usually named Alice and Bob, exploit the laws of quantum physics to produce a shared random key that remains unknown to the rest of the world and which can then be used as a one-time pad in a classical cryptographic scheme […].

The security of entanglement-based QKD protocols relies on the violation of a Bell inequality […] using pairs of quantum entangled particles shared by Alice and Bob. Remarkably, it has been shown that such entanglement-based protocols allow device-independent QKD (DIQKD) […], in which the two parties need not make any assumptions about the inner workings of their devices, in particular the source that produces the systems which the parties measure as well as their own measurement devices. In principle, the measurement apparatuses can be bought from an untrusted party, the eavesdropper Eve, and the particle pair source can even be operated by her (as long as, for example, there are no hidden transmitters in the devices). Alice and Bob can still extract a secret key by sufficiently violating a Bell inequality. However, they are required to have access to a certain amount of randomness which they use for their setting choices. This is related to the fact that no Bell inequality can be derived without the "freedom-of-choice assumption" [10].

For long messages, Alice and Bob need many settings to produce a key long enough, such that it becomes infeasible to invent their own random sequences bit by bit out of their heads. Hence, their settings need to be produced by some sort of fast device. Such a random number generator and its corresponding randomness must be considered a resource in the protocol. However, it is impossible to verify that any given random number generator is not determined by some underlying mechanism which is simply unknown to the user but not to the eavesdropper. Clearly, Alice and Bob should not buy their randomness generators from Eve. Therefore, in some sense, the assumptions in DIQKD are contradictory: while one does not trust the measurement devices, one trusts the random number generators used for the setting choices. Recent developments (e.g. regarding the Dual Elliptic Curve Deterministic Random Bit Generator) have shown that this trust can be problematic [11].

It is indeed possible to reduce the amount of required initial randomness via randomness amplification and expansion. These protocols exploit quantum correlations, also in a device-independent way [12, …]. The former field studies how, given a source of imperfect randomness which is partially correlated to the external world, one can produce a short string which is completely uncorrelated and safe. The latter studies how, given a finite amount of perfect random bits, one can produce a longer (potentially unbounded) random bit string. Both of these processes have been generalized recently to achieve unbounded random strings from finite min-entropy sources [15, 16]. However, both protocols require an initial (at least partially) random seed, and there is no apparent way of getting around this assumption if one wants to stick to the device-independent scenario.

We define a completely DIQKD (CDIQKD) protocol to be one which is not only device-independent regarding the measurement apparatuses and the pair source but which also does not need to make any assumptions about the setting generators or initial random seeds. It seems that this is an impossible task. The QKD community has been working within the paradigm that, unless at least one of the parties has an initial (at least partially) random source, sending safe messages is not feasible.

In this paper, however, we show that the obstacle is surmountable and that CDIQKD is indeed possible. The solution lies in the observation that Alice and Bob do not really need their settings to be random with respect to the whole universe. They only need randomness with respect to Eve. Therefore, having a string which is random to Eve and to the devices used in the protocol is sufficient, even though the string is not random with respect to an honest party like Alice. And there is one thing which is random to Eve due to the fundamental underlying assumption in cryptography: the message $X$ which Alice wants to send to Bob. Without this trivial assumption (so basic that it usually is not even mentioned), there is no reasonable cryptographic task in the first place.

Our procedure seems counter-intuitive and risky, but in this paper we give a proof of principle that it is secure. In 
the following, we will show that Alice can use her secret message to locally generate a secret sequence of bits, which 
can then be used by herself and Bob as the settings in an entanglement-based QKD protocol. 


2 Background and Assumptions 

We will work with the standard QKD assumptions which, for the sake of clarity, are listed below. 


Quantum Key Distribution Assumptions:

1. Shielding. A no-signaling condition is imposed on the components of each device, as well as between devices in both parties' laboratories.

2. Authenticated classical communication channel between parties. This is not assumed to be secure, i.e. any classical communication is accessible to Eve. Furthermore, we consider this authenticated channel to be available to the parties as a black box resource, that was for instance previously established using a secret key.

3. Restriction to quantum theory. The adversary can only prepare devices following the laws of quantum mechanics. In particular, she does not possess arbitrary no-signaling devices.

4. Message with randomness. Alice possesses a message $X$ with $k$ min-entropy with respect to Eve and the devices, and can estimate this value; $k$ needs to be sufficiently large.

These are the fundamental assumptions, without any of which the protocol could not guarantee security. For example, without assumption 1, there could be a transmitter in the devices telling Eve everything that is going on in the laboratories (including the secret message), or Eve could manipulate the devices externally. Furthermore, the protocols work assuming a Bell inequality was violated, for which the components of the physical devices must not communicate, which could for example be enforced by a spacelike separation. Assumption 2 is needed to avoid the "man in the middle" attack, even though this classical channel is accessible to the adversary. In the present work we consider the channel as a black box resource; see the Discussion for an elaboration. Assumption 3 may seem restrictive at a mathematically fundamental level, but this is also a standard assumption for security proofs such as in [7, 18], since super-quantum correlations have not been observed experimentally. Finally, our main assumption is that Alice's message $X$ has some conditional min-entropy with respect to Eve and the devices, and that Alice is able to estimate this value. We argue that this is a sound assumption (and indeed usually left implicit), since if the message was not at least partially random to Eve, then performing a QKD protocol would lose all its point to begin with, as was already suggested in the concluding remark of [19].

In this article, we think of conditional min-entropy $H_{\min}$ operationally. If we have the classical-quantum state $\rho_{XE} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x$, classical over $X$ and quantum over $E$, then the probability that party $E$ correctly guesses the value of the random variable $X$ is

$$P_{\mathrm{guess}}(X|E) = \sum_x P_X(x)\,\mathrm{Tr}\bigl[F_x \rho_E^x\bigr] = 2^{-H_{\min}(X|E)},$$

where $\{F_x\}$ is the optimal POVM on $E$ [20]. In words, this means that the min-entropy quantifies how much of the string $X$ is unknown to system $E$. This is the standard way of quantifying randomness, by which we mean how much of a variable is unpredictable to a third party. In that sense, the "most random variable" $X$ corresponds to the uniform distribution $U_X$ which is completely independent from everything else. In that case the min-entropy is simply the number of random bits, $H_{\min}(X|E) = |X|$.
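As an added worked example (not part of the paper), the guessing-probability definition above can be evaluated directly when Eve's side information is classical: the optimal measurement then reduces to guessing, for each value $e$ she holds, the most likely $x$. The helper functions and the three sample distributions below are constructed for illustration.

```python
# Added example, not from the paper: conditional min-entropy via guessing
# probability for a classical-classical state rho_XE (Eve's side information E
# is a classical random variable). In that case the optimal POVM is the
# maximum-likelihood guess, so
#   P_guess(X|E) = sum_e max_x P_XE(x, e),   H_min(X|E) = -log2 P_guess(X|E).
from collections import defaultdict
from itertools import product
from math import log2


def guessing_probability(p_xe):
    """p_xe maps (x, e) -> probability of the joint event. Returns P_guess(X|E)."""
    best_per_e = defaultdict(float)
    for (x, e), p in p_xe.items():
        # P_E(e) * max_x P(x|e) equals max_x P(x, e), so no normalisation is needed
        best_per_e[e] = max(best_per_e[e], p)
    return sum(best_per_e.values())


def min_entropy(p_xe):
    """H_min(X|E) in bits, i.e. minus log2 of the guessing probability."""
    return -log2(guessing_probability(p_xe))


def uniform_message(n_bits):
    """X uniform over n-bit strings, E trivial: the 'most random' case, H_min = n."""
    return {(x, ()): 2.0 ** -n_bits for x in product((0, 1), repeat=n_bits)}


def partially_leaked_message(n_bits, leaked):
    """Constructed case: Eve holds the first `leaked` bits of a uniform X exactly."""
    return {(x, x[:leaked]): 2.0 ** -n_bits for x in product((0, 1), repeat=n_bits)}


def noisy_copy_message(n_bits, flip_prob):
    """Constructed case: Eve holds a copy of a uniform X in which each bit was
    flipped independently with probability flip_prob (binary symmetric channel)."""
    p_xe = {}
    for x in product((0, 1), repeat=n_bits):
        for e in product((0, 1), repeat=n_bits):
            flips = sum(a != b for a, b in zip(x, e))
            p_xe[(x, e)] = (2.0 ** -n_bits) * flip_prob ** flips * (1 - flip_prob) ** (n_bits - flips)
    return p_xe
```

For the noisy copy the guessing probability is $(1-q)^{n}$, so each bit of the message retains $-\log_2(1-q)$ bits of min-entropy against Eve; this is the kind of lower bound on $k$ that assumption 4 asks Alice to be able to estimate.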

By randomness extractors $\mathrm{Ext}(k,\varepsilon)$ we refer to deterministic algorithms which take a source $X$ with min-entropy $k$, together with a uniform random seed of length $d$, to produce an output of length $m$ which is an $\varepsilon$-distance from the uniform distribution. We shall use Trevisan's extractor [21], which was proven to be secure against quantum adversaries in [18], following the works of [22, 23]. See Appendix B for a rigorous treatment.

A powerful observation which we will also need is the Equivalence Lemma from [16]. The lemma states that the security of protocols using perfectly random strings depends on these strings being perfectly random to the devices, and that requiring perfect randomness with respect to both the devices and the adversaries is not necessary. This is formally stated in the appendix as Lemma A.1. Since we are assuming that Eve does not signal to the devices, the important thing then is that the devices are not preprogrammed to receive certain inputs. If during the protocol Eve learns more about what random seeds Alice and Bob will use, then even if she adapts her eavesdropping strategy she cannot gain any advantage, so long as the devices were distributed beforehand.

Chung, Shi, and Wu devised a protocol which can amplify any finite source with min-entropy $k$ by using Trevisan's extractors $\mathrm{Ext}(k,\varepsilon)$ [16]. They coined this procedure Physical Randomness Extraction, because they rely on physical procedures which extract randomness in a secure manner through Bell tests. Their solution is to use $\mathrm{Ext}(k,\varepsilon)$ on the min-entropy source with all $2^d$ possible seed strings of length $d$, feeding each hashed output to a different implementation of the physical extraction protocol (which here will be a randomness expansion protocol). By different implementations, we mean using new devices on each run of the physical protocol, so as to guarantee that each input is really random with respect to the devices to be used (i.e. there are no memory correlations between implementations). See the first part of Figure 1.

For expansion, we will use the recent protocol by Miller and Shi [15] (abbreviated as MS), which by itself gives cryptographic security in the output and is robust to noise. This protocol, together with the Equivalence Lemma, can take a min-entropy source and produce unbounded expansion with only 2 untrusted devices. Following […, 16] we treat a device $D$ as a black box with which the experimenter can interact classically. Each box $D$ will consist of $t$ spatially separated (no-signaling) components which will play an XOR non-local game. Hence, the number $t$ will depend on the nonlocal game to be played (e.g. for CHSH $t = 2$, and for GHZ $t = 3$). See [24] for an exposition on XOR games.

Currently, different DIQKD schemes exist that could work with our protocol. Choosing which one to implement is a matter of taste, since different Bell inequalities have different advantages. For example, the protocols […] are robust against a constant fraction of noise, while […] is even safe against no-signaling adversaries. What is common in these schemes, though, is that at least one of the parties must have access to an additional source of randomness. Given that we would like our CDIQKD protocol to be noise tolerant, we propose to use one of […]. To our knowledge, these are the only available protocols which are secure against quantum adversaries possessing quantum side information.

The last concepts we need to introduce are the security parameters. The completeness error $\varepsilon_c$ bounds the probability that we reject an honest implementation of the protocol, $P[\mathrm{Reject}] \le \varepsilon_c$. The soundness error $\varepsilon_s$ quantifies how random the output $Z$ is if we choose to accept it. To see how, consider general output states which are decomposed as $\Phi \circ \Gamma_E[\rho] = |\mathrm{Acc}\rangle\langle\mathrm{Acc}| \otimes \varphi_{ZXDE} \oplus \varphi'_{XDE}$, where $\Phi$ is the quantum channel of the protocol and $\Gamma_E$ is an arbitrary quantum channel on Eve's system. We require that there exists a state $\xi$ such that $\tilde\varphi_{ZXE} = U_Z \otimes \xi_{XE}$ and $\|\varphi_{ZXE} - \tilde\varphi_{ZXE}\| \le \varepsilon_s$. Here $\varphi_{ZXE}$ is the subnormalized output after tracing out the devices $D$, and $U_Z$ is the uniform distribution. Most of the time, though, we will just talk about the security parameter $\delta = \max(\varepsilon_c, \varepsilon_s)$, which represents the worst error in both possible interpretations of the word error.

The error tolerance parameter, or noise level, $\eta$, parametrizes how an actual implementation of an untrusted device deviates from an honest one. That is, it is the maximum ratio of game rounds for which we observe an error (so that the observed correlations are not according to the optimal winning strategy).


3 Key Distribution Protocol

For convenience, we divide our CDIQKD protocol into two parts: Randomness Processing and Key Distribution. The randomness processing part (which takes place entirely in Alice's laboratory) consists of taking Alice's message $X$ as a seed to create a string of random numbers $Z$ which will be used in the Key Distribution Scheme (e.g. to choose measurement bases, which bits to compare and test the Bell inequality on, or which hashing function to use).

Figure 1: (Color online) Schematic representation of the protocol. An $n$-bit message $X$ is fed into Trevisan's extractor with all possible seeds $S$ of length $d$, and each output in turn is used to run the Miller-Shi protocol for expansion. Finally, these outputs are summed modulo 2 to obtain the random seed $Z$ used for the DIQKD scheme.

Figure 2: (Color online) Representation of the MS expansion protocol, used within the Randomness Processing Protocol. By cross-feeding the outputs of the devices to each other, Alice is able to obtain the unbounded random string $Z$.


Randomness Processing Protocol:

1. Alice lists all possible bit strings $\{S_0, S_1, \ldots, S_{2^d-1}\}$ of length $d$.

2. Alice processes her message $X$ with Trevisan's extractor, using all $2^d$ strings $S_i$ as possible seeds. Call the outputs $W_i = \mathrm{Ext}[X, S_i]$.

3. Alice performs the MS unbounded randomness expansion protocol in parallel on each $W_i$, using different devices. The output of each expansion run is labeled $Z_i$.

4. $Z = \bigoplus_i Z_i$.

The actual sizes of $d = |S_i|$ and $m = |W_i|$ are specified in the next section.

The randomness processing protocol to be used is the composition of the protocols proposed by [16] and [15], as depicted in Figure 1. The ideal objective of the protocol is to obtain a random string $Z$, independent from the input message $X$, such that $|Z| \gg |X|$. In fact, the expansion protocol used allows us to make the output $Z$ unbounded, so that Alice can be confident she will have enough random bits to feed the DIQKD protocol.

The MS expansion protocol uses the concatenation of two devices to achieve unbounded randomness expansion [15]. As seen in Figure 2, an input random string $X_0$ is fed into the first device and produces an output string $X_1$ which is longer and contains more min-entropy than the input. Then, string $X_1$ is fed into the second device, producing output $X_2$ which is also longer and contains more min-entropy than its corresponding input $X_1$. In this fashion, it is easily seen that by alternating between the two devices the random strings $\{X_j\}$ keep growing monotonically, and Alice is free to repeat this protocol as many times as she wishes to achieve unbounded expansion.

Figure 3: (Color online) Space-time scheme of a QKD protocol without initial randomness. From her secret message $X$, Alice has already established a sequence $Z$ of bits $Z_i$ unknown to Eve. Eve sequentially sends pairs of particles labeled $2i-1$ and $2i$ ($i = 1, 2, \ldots$) to Alice and Bob, respectively. Once Bob confirms he received particle $2i$, Alice sends the bit $Z_{2i}$ to Bob, which he uses as a setting. Alice uses $Z_{2i-1}$ for her own particle.

One may note, however, that in between device uses the output must be processed through Trevisan's extractor, which provides security against quantum side information. Since the extractor requires two inputs, in reality not all of string $X_j$ is fed into a device. Rather, a part of it is kept to seed the extractor, which will operate on the raw expanded output of the device. Afterwards, Alice may choose to run the expansion on the whole string $X_{j+1}$, or directly use some of the bits as an output sequence (as depicted in Figure 2).

The specific expansion protocol used to obtain the longer and more random output $X_{j+1}$ from the shorter input $X_j$ is given in Appendix C. For the moment, let us assume that Alice is running the protocol based on the GHZ non-local game, and that she has fixed the size of her desired output. Then, Alice will feed $N$ different inputs into the components of her device which are in charge of violating the GHZ-Bell inequality. The majority of the time Alice will use a predefined input for her device's components (say 111), and record the output of the first component (these are the so-called generating rounds). However, in order to be sure that the components are indeed outputting random strings, Alice needs to run statistical tests on her device. For this, she will select a random subset of the $N$ inputs to actually "play" the GHZ game, i.e. the inputs to the device components are chosen at random from the set $\{111, 100, 010, 001\}$. The GHZ game is won if $a_1 \oplus a_2 \oplus a_3 = x_1 \wedge x_2 \wedge x_3$, where the $a_i$ are the outputs of the components and the $x_i$ the corresponding inputs. If during these game rounds the device loses more often than allowed by the error tolerance parameter (optimized later), then Alice aborts. Otherwise, she now has a new random string $X_{j+1}$ which has more min-entropy than what she started with.

Finally, Alice will have a fully secret string $Z$ with respect to Eve. If the security of the string is high enough, this can be used to implement the now standard protocols of [7, …] or even the new QKD protocol of [15]. However, it is typically assumed that both Alice and Bob have access to RNGs or initial randomness. Now, only Alice has randomness available, and she must publicly broadcast to Bob what to measure. One way for this to be secure would be to require that Alice and Bob were already sharing all entangled pairs from the start. A way around this would be for Alice to wait until Bob has received his device (i.e. his part of the entangled pair), and afterwards Alice would broadcast Bob's corresponding measurement setting (see Figure 3). This eliminates the need for the vast quantum memory of the former approach. What is needed is that there exist quantum states and measurement settings such that each step in the protocol would be passed by honest parties, which both approaches possess.
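As an added example (not from the paper, and a constructed simplification of the Miller-Shi device interaction rather than its actual protocol), the following Python simulates one expansion block of the kind just described: generating rounds with the fixed input 111, a random subset of game rounds with inputs drawn from {111, 100, 010, 001}, the win condition above, and the abort rule against an error tolerance η. The two device models (an ideal GHZ strategy with optional noise, and a deterministic local strategy) are constructed stand-ins, not real hardware, and the `rng` argument stands in for the random input string that selects the game rounds.

```python
# Added example, not from the paper: a constructed simulation of one GHZ-based
# expansion block (generating rounds + randomly interleaved game rounds + abort
# test against the error tolerance eta). The "devices" are classical stand-ins
# that reproduce the output statistics of the strategies they model.
import random

GAME_INPUTS = ((1, 1, 1), (1, 0, 0), (0, 1, 0), (0, 0, 1))  # Alice's GHZ game inputs
GENERATING_INPUT = (1, 1, 1)  # fixed input of the generating rounds


def ghz_win(x, a):
    """Win condition used in the text: a1 xor a2 xor a3 == x1 and x2 and x3."""
    return (a[0] ^ a[1] ^ a[2]) == (x[0] & x[1] & x[2])


def ideal_ghz_device(noise):
    """Stand-in for an honest entangled device: the optimal GHZ strategy wins
    every round and its outputs are uniform over the parity-correct triples;
    with probability `noise` one component's output bit is flipped."""
    def device(x, rng):
        target = x[0] & x[1] & x[2]
        a1, a2 = rng.randrange(2), rng.randrange(2)
        out = [a1, a2, a1 ^ a2 ^ target]
        if rng.random() < noise:
            out[rng.randrange(3)] ^= 1  # any single flip breaks the parity
        return tuple(out)
    return device


def local_device(x, rng):
    """Stand-in for a classical (local, deterministic) strategy: always 000.
    It wins on 100, 010 and 001 but loses on 111, i.e. about 1/4 of game rounds."""
    return (0, 0, 0)


def run_expansion_block(device, n_rounds, game_fraction, eta, rng):
    """Feed N = n_rounds inputs to the device components. Each round is a game
    round with probability game_fraction (input uniform over GAME_INPUTS),
    otherwise a generating round whose first-component output is recorded.
    Alice aborts if the device loses more than a fraction eta of the game rounds.
    The device cannot tell the two round types apart, since 111 is both the
    generating input and one of the game inputs. `rng` plays the role of the
    random input string that chooses the rounds and their inputs."""
    raw_bits, losses, games = [], 0, 0
    for _ in range(n_rounds):
        if rng.random() < game_fraction:
            x = rng.choice(GAME_INPUTS)
            games += 1
            if not ghz_win(x, device(x, rng)):
                losses += 1
        else:
            raw_bits.append(device(GENERATING_INPUT, rng)[0])
    accepted = games > 0 and losses <= eta * games
    return {"accepted": accepted, "raw_bits": raw_bits, "losses": losses, "games": games}


def compare_devices(seed=7, n_rounds=5000, game_fraction=0.2, eta=0.1):
    """Run the same block against three constructed devices with a fixed seed.
    Returns (honest accepted, slightly noisy accepted, local device accepted)."""
    honest = run_expansion_block(ideal_ghz_device(0.0), n_rounds, game_fraction, eta, random.Random(seed))
    noisy = run_expansion_block(ideal_ghz_device(0.02), n_rounds, game_fraction, eta, random.Random(seed))
    local = run_expansion_block(local_device, n_rounds, game_fraction, eta, random.Random(seed))
    return honest["accepted"], noisy["accepted"], local["accepted"]
```

With these parameters the noiseless and the 2%-noisy honest devices pass the test, while the local strategy loses roughly a quarter of the game rounds and is rejected at η = 0.1.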


4 Security Analysis 


In this section we analyze the security of the protocol. Our starting point is that Alice holds a message of length $n$ that she wants to communicate to Bob, and said message has min-entropy $k$ (conditioned on Eve and the devices). For the protocol to work, it is part of the assumption that Alice can estimate (lower bound) the value $k$, which is also a commonly implied assumption in other protocols such as [12, 15, 16].

Of course all of the sub-protocols we are utilizing here have been proven secure by their corresponding authors, but their composition is a non-trivial task. Also, the point of view we take here is that Alice has no further access to randomness, so there will be a lower bound for the security parameters (since these are functions of $k$, and it is finite). We also note that since this is a proof of principle, the requirement of exponentially many different devices that arises from the scheme of Chung, Shi, and Wu is something we do not intend to improve, and we rest content with having a finite number of devices.

The first part we analyze is Trevisan's extractor, proven to be secure against quantum adversaries [18, 21–23]. This will create an output of size $m < k$ at an $\varepsilon_T$-distance from uniform. The following lemma gives a bound on the error and seed length needed. For an explicit and detailed proof, see Appendix B.

Lemma 4.1. Trevisan's Extractor

For a message $X$ with min-entropy $k$, $0 < m < k$, there exists an $m$-bit quantum proof extractor $\mathrm{Ext}(k, \varepsilon_T)$, using a seed of length

$$d = \bigl(7 + k - m + \log|X|\bigr)^{2}\,\frac{\log(4m)}{\ln 2} \qquad (4.1)$$

and with error $\varepsilon_T$ (4.2).

For analyzing the security of Miller and Shi's expansion protocol, we must choose a nonlocal game to be played. In what follows we shall use the GHZ game, with $t = 3$. Besides having a large quantum-classical gap and having an optimal strategy that wins with probability 1, both [15, 27] have considered it for their analysis. Concretely, there exist carefully optimized parameters to implement the Miller-Shi unbounded protocol with a uniform seed, such that the security parameter decreases exponentially with the seed length $m$:

$$\varepsilon_{\mathrm{MS}} = 2^{\,\alpha - m} \qquad (4.3)$$

with constants $\beta = 31328$ and $\alpha = 120{,}931$. See Appendix C for further details.

It is interesting to note that while the expansion error $\varepsilon_{\mathrm{MS}}$ decreases exponentially with the input length $m$, the error of the quantum proof extractor grows exponentially with the output size $m$. Hence, there is a direct trade-off, and Alice must choose $m$ according to her error goals in an easy optimization problem. For simplicity, though, Alice can take e.g. $m = k/2$.

Finally, Chung, Shi, and Wu's main result gives the soundness and completeness errors one obtains after having performed extraction and expansion with each of the $2^d$ seeds and summing all of the outputs modulo 2. The answer is a function of both the extraction and expansion error, as well as the error tolerance $\eta$, which comes from the Miller-Shi expansion protocol. In particular, the security parameter $\delta$ of the whole randomness processing protocol will be given by $\delta = \max(\ldots + 2^{d}\ldots + 2\eta)$, using a total of $6 \cdot 2^{d}$ device components [16]. This leads us to our first main result (proof in Appendix D).

Theorem 4.1. Security of Randomness Processing

If Alice performs the Randomness Processing Protocol on her message $X$ with min-entropy $k$, the output string $Z$ is cryptographically secure. That is, the security parameter $\delta$ is exponentially small in $k$.

It is worth noting that there is some threshold value for this protocol, $k \approx 200{,}000$, under which it will not work at all. This is reminiscent of the 225,000 bits of min-entropy that are needed to have unbounded expansion with the MS protocol and a security parameter of $\varepsilon = 10^{-\ldots}$ [27]. That is, in order to achieve a fixed security parameter target for randomness expansion, the amount of input min-entropy must be above some threshold. In any case, we imagine $k$ to be large enough so that the security parameter is sufficiently small.

Now that Alice has the random string $Z$, she is ready to apply, together with Bob, the DIQKD protocol of either [7] or […], which have their respective errors $(\varepsilon_c, \varepsilon_s)$. For a moment let us assume that $Z$ is a perfectly random string. Then the Equivalence Lemma of [16] would guarantee that the completeness and soundness errors of the DIQKD protocol would remain the same even if Eve learned most of $Z$ later on (making this semantically secure). However, $Z$ has security parameter $\delta$, exponentially small in $k$, and this will add to the errors of the protocol (which could be understood as a consequence of the composability of the protocols […]). Note that the string $Z$ is indeed random to the devices in the DIQKD protocol, since the initial message had min-entropy $k = H_{\min}(X|ED)$ conditioned on both the randomness processing devices $D$ and Eve (who is the one who potentially will create the DIQKD devices). We formalize this in our second main theorem, which is proven in Appendix E.

Theorem 4.2. Security of CDIQKD

Let there be a DIQKD protocol which requires a perfect random number generator and which has completeness and soundness errors $(\varepsilon_c, \varepsilon_s)$. Then, Alice can perform the Randomness Processing Protocol on her secret message $X$ with min-entropy $k$ to produce a secure random output $Z$ and perform CDIQKD with errors $(\varepsilon_c + \delta, \varepsilon_s + \delta)$, where $\delta$ is the security parameter of the Randomness Processing Protocol (Theorem 4.1).


5 Discussion 


We have shown that even in the absence of randomness generators, Alice can securely perform DIQKD. This is indeed a remarkable fact, since it is commonly assumed that without initial randomness no security can be achieved. In this article, we have made a proof of principle based on the assumptions given. Note, however, that our protocol still requires the use of a classical authenticated channel, which traditionally is established using a shared secret key between the honest parties. At first sight this seems to call into question the result of this paper. Note, however, that the authenticated channel does not have to be established each time the parties wish to send a message to each other. As stated in Assumption 2, we consider the authenticated channel to be a black box resource that the parties could have established a long time in the past. A shared arbitrarily weak key suffices for this task, as shown in [29]. Traditional DIQKD relies on a further assumption, namely that the parties hold private secure random number generators, which they use to obtain inputs for the protocol. The security of the output randomness of these RNGs could be subject to question, especially if these were prepared by an external adversary. The issue this paper addresses is therefore the removal of this crucial assumption in a fairly general framework for DIQKD. Finally, a secret key shared by the parties could replace the message in the presented protocol if it is of sufficiently high min-entropy.

We leave further generalizations and optimizations for future work. For example, we conjecture that our scheme can be simplified to use a significantly smaller number of devices, and that it can be generalized to be secure against no-signaling adversaries as well, allowing the validity of quantum mechanics to be dropped as an assumption.
Appendix


A Definitions and Notation


In this section, we formalize some important definitions which were just mentioned conceptually in the main text. Throughout this whole article, as is common in information science, $\log(x) = \log_2(x)$.

Definition A.1. Conditional Min-Entropy

Let $\rho_{AB} \in \mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$; the min-entropy of $A$ conditioned on $B$ is

$$H_{\min}(A|B)_{\rho_{AB}} = \max\bigl\{\lambda \in \mathbb{R} : \exists\, \sigma_B \in \mathcal{D}(\mathcal{H}_B) \text{ s.t. } \rho_{AB} \le 2^{-\lambda}\,\mathbb{1}_A \otimes \sigma_B\bigr\} \qquad (A.1)$$

Here, $\mathcal{D}(\mathcal{H})$ represents the set of density matrices on Hilbert space $\mathcal{H}$. For the completeness and soundness errors, we use the definitions given by [16], since our security parameter is based on the maximum of these quantities. Before that, we must specify what is meant by a physical system.


Definition A.2. Physical System [16]

A physical system $S$ is defined on an arbitrarily large, but finite, Hilbert space $X \otimes D \otimes E$, with a classical source $X$ of length $n$ with $k$ min-entropy, $t$ untrusted devices $D = (D_1, \ldots, D_t)$, and an adversary $E$. To each device $D_i$ there corresponds a quantum interactive algorithm $\mathcal{A}_{D_i}$ that acts on $D_i$ and outputs at most $m$ bits.

Usually this is also called an $(n, k, t, m)$-physical source, where in our scenario the min-entropy $k$ of the message is conditioned on both $E$ and $D$. Hence, a physical system $S$ is specified by a state $\rho_{XDE}$ and the algorithms the devices will follow $\{\mathcal{A}_{D_i}\}$, but the latter are usually irrelevant for the security analysis.

Any randomness processing protocol (e.g. for amplification or expansion) can be viewed as a quantum channel $\Phi : \mathcal{D}(X \otimes D) \to \mathcal{D}(O \otimes Z \otimes X \otimes D)$, also called a Physical Randomness Extractor (since they act on physical systems). The new Hilbert spaces $O \otimes Z$ are for a decision bit $o$, which will tell us to accept or reject the implementation of the protocol (if e.g. the Bell test was not passed with confidence), and the new output random string $Z$. If the physical randomness extractors require perfectly random inputs, i.e. they are designed to work on $(n, n, t, m)$-physical systems, they are called Seeded Physical Randomness Extractors.

Definition A.3. Completeness Error

There exist honest devices $D = (D_1, \ldots, D_s)$ with internal state $\sigma_D$ and algorithms $\{\mathcal{A}_{D_i}\}$, with each device outputting at most $m$ bits, such that for any $(n, k, s, m)$-physical system $S$ satisfying $\mathrm{tr}_{XE}[\rho] = \rho_D = \sigma_D$ we have

$$P[\mathrm{Acc}(\rho)] \ge 1 - \varepsilon_c \qquad (A.2)$$

where $\mathrm{Acc}(\rho)$ denotes the event that the protocol accepts on the input state of the device and source supplied to the physical randomness extractor, when applied to $S$ (i.e. $o = \mathrm{Acc}$).

In other words, this tells us that if we are using honest devices, we will accept the protocol with high probability. The soundness error, in turn, tells us how close we are to a truly random output (i.e. a uniform distribution), conditioned on accepting the protocol.

Definition A.4. Soundness Error [16]

Suppose the physical system $S$ is equipped with a decision bit $O$. Then the projection of the output $\Phi[\rho]$ onto the acceptance subspace is at most an $\varepsilon_s$ distance away from a state of the form $U_Z \otimes \xi_{XE}$ conditioned on accepting, where $\xi_{XE}$ is some classical-quantum state. General output states are decomposed as $\Phi \circ \Gamma_E[\rho] = |\mathrm{Acc}\rangle\langle\mathrm{Acc}| \otimes \varphi_{ZXDE} \oplus \varphi'_{XDE}$, where $\Gamma_E$ is an arbitrary quantum channel on Eve's system. We require that there exists a state $\xi$ such that $\tilde\varphi_{ZXE} = U_Z \otimes \xi_{XE}$ and

$$\|\varphi_{ZXE} - \tilde\varphi_{ZXE}\| \le \varepsilon_s \qquad (A.3)$$

where $\varphi_{ZXE}$ is the subnormalized output after tracing out the devices $D$, and $U_Z$ is the uniform distribution.

An important result which we will need for our analysis, which has to do with physical randomness extractors, is 
the following lemma: 



Lemma A.1. Equivalence Lemma [16]

Let $\Phi$ be a seeded physical randomness extractor with seeds $X$ which are perfectly random to both Eve and the devices (i.e. $H_{\min}(X|DE) = n$), with parameters $(\varepsilon_s, \varepsilon_c, \eta)$. Then the same physical randomness extractor, when applied to an input which is perfectly random to just the devices (i.e. $H_{\min}(X|D) = n$), will have the same parameters $(\varepsilon_s, \varepsilon_c, \eta)$.

The moral being that the crucial thing is that the input is random to the devices used.


B Quantum Strong Extractors 


In this section, we analyze the security of Trevisan's extractor from reference [18], to prove Lemma 4.1. We begin with a formal definition of a quantum-proof strong extractor.


Definition B.1. Quantum-Proof Strong Extractor

$\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is an $m$-bit quantum-proof $(k, \varepsilon)$-strong extractor if, for all states $\rho_{XE}$ classical on $X$ with $H_{\min}(X|E) \ge k$, and a uniform seed $Y$ of length $d$, we have:

$\frac{1}{2}\,\|\rho_{\mathrm{Ext}(X,Y)YE} - U_m \otimes \rho_Y \otimes \rho_E\| \le \varepsilon$ (B.1)

with $\|\cdot\|$ the trace norm, and $U_m$ the totally mixed state on $\{0,1\}^m$.


The classical version of this definition ignores the quantum state $E$ and uses the variational distance in equation (B.1). Explicitly, a $(k, \varepsilon)$-strong extractor satisfies $\frac{1}{2}\|\mathrm{Ext}(X,Y) \circ Y - U_m \circ Y\| \le \varepsilon$. The main theorem of [18] relates the security of 1-bit $(k, \varepsilon)$-strong extractors to $m$-bit extractors which are quantum proof. This is done by means of weak $(t, r)$-designs, which are just families of partitioning sets, otherwise irrelevant here.


Theorem B.1. Trevisan's Extractor is Quantum Proof (Theorem 4.6 of [18])

Let $C: \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ be a $(k, \varepsilon)$-strong extractor with uniform seed and $S_1, \dots, S_m \subseteq [d]$ a weak $(t, r)$-design. Then there exists an extractor $\mathrm{Ext}_C: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ which is a $(k + rm + \log(1/\varepsilon),\, 3m\sqrt{\varepsilon})$-quantum-proof strong extractor.


The existence of such weak designs is given by [22].

Lemma B.1. Existence of weak $(t, 1)$-designs (Lemma 17 of [22])

For all $t, m \in \mathbb{N}$ there exists a weak $(t, 1)$-design $S_1, \dots, S_m \subseteq [d]$ such that $d = t\,\lceil t/\ln 2 \rceil\,\lceil \log(4m) \rceil$. Furthermore, such a weak design can be found in $\mathrm{poly}(m, d)$ time and $\mathrm{poly}(m)$ space.


For the 1-bit extractor $C$, we will use list-decodable codes; again, for our purposes all we require is their existence and that they can be found efficiently. This was implicitly proven by [21, 22], and explicitly stated in [18], Theorem C.3.


Lemma B.2. List Decodable Codes are 1-bit Extractors (Theorem C.3 of [18])

Let $C: \{0,1\}^n \to \{0,1\}^{\bar n}$ be an $(\varepsilon, L)$-list decodable code. Then there exists $\mathrm{Ext}_C: \{0,1\}^n \times [\bar n] \to \{0,1\}$ which is a $(\log L + \log(1/\varepsilon),\, 2\varepsilon)$-strong extractor, created from the code $C$.

Finally, we need an existence theorem for list decodable codes.


Lemma B.3. Existence of List Decodable Codes (Lemma C.2 of [18], Theorem 24 of [30])

For all $n \in \mathbb{N}$ and $\varepsilon > 0$ there exists a code $C_{n,\varepsilon}: \{0,1\}^n \to \{0,1\}^{\bar n}$ which is $(\varepsilon, 1/\varepsilon^2)$-list decodable. Furthermore, $\bar n$ can be assumed to be a power of 2, and satisfies the bound $\bar n \le 32n/\varepsilon^4$. The code $C_{n,\varepsilon}$ can be evaluated in $\mathrm{poly}(n, 1/\varepsilon)$ time.


With all of this in mind, we are ready to prove Lemma 4.1. This is an analogous result to Corollary 5.3 of [18], and [27] has also made a similar analysis.


Lemma B.4. (Lemma 4.1 from main text)

For a message $X$ with $k$ min-entropy and $m < k$, there exists an $m$-bit quantum-proof extractor $\mathrm{Ext}(k, \varepsilon_T)$, using a seed of length

$d = (7 + k - m + \log n)^2 \,\frac{\log(4m)}{\ln 2}$ (B.2)

and with error

(B.3)

Figure 4: Schematic diagram for the proof of Lemma 4.1.


Proof. Lemma 4.1

To facilitate the proof of this lemma, which involves many different concepts and parameters, we refer to Figure 4. Notice that the notation is slightly different from the statement of the lemmas, to make it more consistent throughout the proof.

We take $\bar n$ to be a power of 2, $\bar n = 2^t$. Next, we create a $(\delta, 1/\delta^2)$ list-decodable code from Lemma B.3, so that we are guaranteed the existence of a 1-bit $(3\log(1/\delta) + 2,\, 2\delta)$-strong extractor $C: \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$, with the help of Lemma B.2. We consider the worst case (saturated) bound on $\bar n$:


$\bar n = \frac{32n}{\delta^4}, \qquad t = \log\left(\frac{32n}{\delta^4}\right)$ (B.4)


Equipped with this 1-bit extractor, we shall now use Theorem B.1 to create an $m$-bit extractor which is quantum proof. Direct application of the theorem yields a $(4\log(1/\delta) + m + 2,\, 3m\sqrt{\delta})$-quantum-proof extractor. We want the final error of the extractor to be $\varepsilon$, hence we choose $\delta$ so that $3m\sqrt{\delta} = \varepsilon$, to get a quantum-proof $(8\log(m/\varepsilon) + m + 2 + 8\log 3,\, \varepsilon)$-strong extractor. Now, in order for this extractor to work, we need the min-entropy of the input message to satisfy $k \ge 8\log(m/\varepsilon) + m + 2 + 8\log 3$. Manipulating this inequality gives us the minimal error the output of the extractor can have:

$\varepsilon \ge 3m \cdot 2^{\frac{2 + m - k}{8}}$ (B.5)

Finally, the $t$ from Equation (B.2) is the same appearing in Lemma B.1, related to the $(t, 1)$-designs. Since we are bounding the number of devices (and hence the seed length), we will ignore the ceiling operators from Lemma B.1, which in the limit of large $t$ and $m$ will be negligible. Hence, the seed length for Trevisan's extractor will be $d = t^2\,\frac{\log(4m)}{\ln 2} = \log^2\!\left(\frac{32n}{\delta^4}\right)\frac{\log(4m)}{\ln 2}$ (with the value for $\delta$ substituted in). If now we take the lowest bound from Equation (B.5) for the error $\varepsilon$, we obtain

$d = (7 + k - m + \log n)^2 \,\frac{\log(4m)}{\ln 2}$ (B.6)

It is interesting to note that the error $\varepsilon$ only depends on $m$ and $k$, giving a direct trade-off between the available min-entropy and how large an output we desire. Meanwhile, $d$ depends on all parameters, but the term $k - m$ has the opposite sign, showing qualitatively that the error and the seed length are inversely related. □


C Randomness Expansion

In this section, we explicitly analyze the protocol that we are using for expansion, namely the one given by Miller and Shi [23]. In particular, we choose this protocol since it provides cryptographic security, i.e. the error parameters are exponentially small and are negligible in the running time of the protocol. It also tolerates a constant level of noise, where e.g. it was shown that any device which wins the GHZ game with probability at least 0.985 will achieve exponential randomness expansion with probability approaching unity. Finally, and very importantly for us, with the Equivalence Lemma (as given by [16]) this is able to produce unbounded expansion using only two devices, by realizing that the expansion protocol is indeed a physical randomness extractor.

In what follows, for simplicity, we will restrict the protocol to playing the GHZ game where the optimum quantum strategy wins with probability 1, and will refer the readers to [27] for the generic version.

The unbounded protocol is just a concatenation of their one-shot protocol, so we provide the latter here. For that, we need to define the variables needed: $N \in \mathbb{N}$ is the output length, $\eta \in (0, \tfrac{1}{2})$ the error tolerance, denoting how much of a statistical error the components are allowed to make relative to the optimal winning strategy's expectation, and $q \in (0, 1)$ the test probability, which denotes the chance that a given round will be a game (Bell) round. The protocol is then:


1. A bit $g$ is chosen according to the distribution $(1 - q, q)$.

2. If $g = 1$ ("game round"), then an input string from $\{111, 001, 010, 100\}$ is chosen at random to play the GHZ game. If the GHZ game is won then output 0, else output 1 and record "Failure" $F$.

3. If $g = 0$ ("generating round"), the string 111 is used as input on the device $D = (D_1, D_2, D_3)$. Record the output of the first component $D_1$.

4. Repeat steps 1-3 $(N - 1)$ more times.

5. If the total number of failures $F$ exceeds $\eta q N$, the protocol aborts. Otherwise, the protocol succeeds, and the output $N$-bit sequence is recorded.

In general, the one-shot protocol as given above can (for the right choice of parameters $\eta, q, N$) provide an output which is $\varepsilon$-close to having $(1 - \delta)N$ min-entropy for any choice of $\delta$, with $\varepsilon$ exponentially small as a function of $N$. Gross and Aaronson have optimized over the parameters $(\eta, q, N)$ and given a bound on the initial seed length needed to get unbounded expansion [27]. In particular, they display a linear dependence on $\log(1/\varepsilon)$, giving the actual slope to be $\beta = 31328$. Then, they state that the upper bound on the seed length needed to get security of $\varepsilon = 10^{-1}$ is 225,000. From this, simple substitution gives $\alpha < 120931$, and hence Lemma 4.2. We note that they also give a bound of 715,000 bits needed to achieve $\varepsilon = 10^{-6}$, but this gives a lower value of $\alpha$ (= 90,584), so we conservatively kept the upper bound. For asymptotic statements, these constants are irrelevant so long as they remain positive.


D Security of Randomness Processing 


In this section, we follow the analysis of [16] to prove the security of our randomness processing protocol, as given in Section 3 of the main text.

For our analysis, the following theorem is crucial.


Theorem D.1. Chung-Shi-Wu Theorem ([16])

Let $0 < \mu < 1$ be the error tolerance parameter. Let $X$ be an $n$-bit string with $k$ min-entropy. Let $\mathrm{Ext}(k, \varepsilon_T): \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ be an $m$-bit quantum-proof extractor with seed length $d$. Let there be a protocol $\Phi$ (also called a physical randomness extractor), which takes a perfectly random seed of length $m$ to produce an output random string $Z$, together with a decision bit, with completeness error $\varepsilon_c$ and soundness error $\varepsilon_s$. If for every $S_i \in \{0,1\}^d$ we perform $\Phi[\mathrm{Ext}(X, S_i)] = Z_i$ ($\mathrm{Ext}(X, S_i)$ being Trevisan's extractor applied on the string $X$ using seed $S_i$), then the protocol producing the output string $Z = \bigoplus_i Z_i$ has:

Completeness Error $\dfrac{\varepsilon_c + \varepsilon_T}{\mu}$
Soundness Error $\varepsilon_s + 2\sqrt{\varepsilon_T} + 2\mu$

provided less than a $\mu$-fraction of protocol applications were rejected.


This is the exact form of the randomness processing protocol that we have given in the main text (Figure 1), where $\Phi$ will be Miller and Shi's unbounded expansion protocol. We will take the MS-expansion security parameter $\varepsilon_s = \varepsilon_c = \varepsilon_{MS}$ given by [27]. Here, we are still left with our errors as functions of $m$, $k$, and now (from the previous theorem) $\mu$. To have a bound on the security parameter, we will find explicit functions for $m$ and $\mu$ depending only on Alice's min-entropy $k$. We thus have all the ingredients to prove Theorem 4.1. We note however that since this article focuses on a proof of principle, the following proof is written so that it is easy to follow, at the expense of not choosing the best coefficient for the exponential decay of the security parameter.
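The one-shot expansion protocol of Appendix C (steps 1 to 5) and the XOR composition $Z = \bigoplus_i Z_i$ of Theorem D.1, as an added Python simulation that is not code from this paper nor from Miller and Shi or Chung, Shi and Wu. It assumes the standard Mermin/GHZ winning parity for the input encoding used above, models honest (possibly noisy) devices from the referee's side with classical randomness, drives the protocol's coin flips from the seed through a PRNG, and uses a hash as a hypothetical stand-in for Trevisan's extractor (toy_ext), so it illustrates the abort logic and the composition rather than the extractor's security.

```python
import hashlib
import random

GAME_INPUTS = ("111", "001", "010", "100")  # inputs of a GHZ game round
DEV_RNG = random.Random(7)                 # constructed device randomness

def ghz_target(x: str) -> int:
    # Assumed Mermin/GHZ winning parity: a^b^c = 0 on 111, 1 on 001, 010, 100.
    return 0 if x == "111" else 1

def honest_device(x: str, noise: float = 0.0, rng=DEV_RNG):
    # Constructed honest-device model (D1, D2, D3): uniformly random outputs
    # with the quantum parity, the last one flipped with probability `noise`.
    a, b = rng.getrandbits(1), rng.getrandbits(1)
    c = a ^ b ^ ghz_target(x)
    c ^= int(rng.random() < noise)
    return a, b, c

def one_shot(N: int, q: float, eta: float, seed: int, device):
    # Steps 1-5 of the one-shot protocol (the seed drives a PRNG: simplification).
    rng = random.Random(seed)
    out, failures = [], 0
    for _ in range(N):
        if rng.random() < q:                   # step 1: g = 1, game round
            x = rng.choice(GAME_INPUTS)        # step 2
            a, b, c = device(x)
            lost = (a ^ b ^ c) != ghz_target(x)
            failures += lost
            out.append(int(lost))              # 0 if won, 1 on "Failure"
        else:                                  # step 3: generating round
            out.append(device("111")[0])       # record D1's output
    accepted = failures <= eta * q * N         # step 5
    return accepted, out

def toy_ext(X: bytes, S: int, d: int, m: int) -> int:
    # Hypothetical stand-in for Trevisan's extractor (a hash is NOT a
    # quantum-proof extractor): m-bit digest of (seed S_i, message X).
    h = hashlib.sha256(S.to_bytes((d + 7) // 8, "big") + X).digest()
    return int.from_bytes(h, "big") >> (256 - m)

def randomness_processing(X, d, m, N, q, eta, mu, device):
    # Phi[Ext(X, S_i)] for every S_i in {0,1}^d; Z = XOR of the accepted
    # outputs; abort (None) if more than a mu-fraction of runs rejected.
    Z, rejected = [0] * N, 0
    for S in range(2 ** d):
        accepted, z = one_shot(N, q, eta, toy_ext(X, S, d, m), device)
        if accepted:
            Z = [zi ^ bi for zi, bi in zip(Z, z)]
        else:
            rejected += 1
    return None if rejected > mu * 2 ** d else Z
```

With noise 1.0 every game round is lost, so one_shot aborts and randomness_processing returns None once more than a mu-fraction of the 2^d runs are rejected.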


Theorem D.2. Security of Randomness Processing (Theorem 4.1)

If Alice performs the Randomness Processing Protocol on her message $X$ with min-entropy $k$, the output string $Z$ is cryptographically secure. That is, there exists a constant $\gamma > 0$ such that the security parameter is $\delta = O(2^{-\gamma k})$.

Proof. Theorem 4.1

We begin by writing the error parameters that arise from the Trevisan extractor as $\varepsilon_T = c_1 m\, 2^{-c_2 (k - m)}$ and the one from the Miller and Shi expansion protocol as $\varepsilon_{MS} = c_3\, 2^{-c_4 m}$, for some constants $c_1, c_2, c_3, c_4$, where $k$ is the min-entropy of the message $X$, and $m$ is both the output length of Trevisan's extractor and the input size of the expansion protocol. For simplicity, we shall take $m = k/2$, which yields as errors (absorbing the factor $1/2$ into $c_1$):

$\varepsilon_T = c_1 k\, 2^{-\frac{c_2}{2} k}, \qquad \varepsilon_{MS} = c_3\, 2^{-\frac{c_4}{2} k}$

From the Chung-Shi-Wu theorem D.1, we have that the security parameter is $\delta = \max\left\{\dfrac{\varepsilon_{MS} + \varepsilon_T}{\eta},\ \varepsilon_{MS} + 2\sqrt{\varepsilon_T} + 2\eta\right\}$.

So we will take $\eta = 2^{-\alpha k}$, with a suitably chosen $\alpha$. To make the security parameter as small as possible, we must choose $\alpha$ large enough so that it does not dominate the soundness error, but we see that this will bring a trade-off with the completeness error. In fact, from the completeness error, we have:

$\dfrac{\varepsilon_{MS} + \varepsilon_T}{\eta} = c_1 k\, 2^{-\left(\frac{c_2}{2} - \alpha\right) k} + c_3\, 2^{-\left(\frac{c_4}{2} - \alpha\right) k}$

This requires that $2\alpha < \min(c_2, c_4)$. From the soundness error we have:

$\varepsilon_{MS} + 2\sqrt{\varepsilon_T} + 2\eta = c_3\, 2^{-\frac{c_4}{2} k} + 2\sqrt{c_1 k}\, 2^{-\frac{c_2}{4} k} + 2 \cdot 2^{-\alpha k}$

From here, for the asymptotic statement, we see that we need a choice of $\alpha$ such that the expression $\min\left(\frac{c_2}{2} - \alpha,\ \frac{c_4}{2} - \alpha,\ \frac{c_2}{4},\ \alpha\right)$ is as big as possible, since those are the coefficients of the exponential decay. Using our actual values for the constants $c_2 = 1/8$ (from Lemma 4.1) and $c_4 = 1/31328$ (from [27]), we see that the best is to take $\alpha = c_4/4 = 1/125312$. This completes the proof of the theorem, with the security parameter $\delta = O(2^{-\gamma k})$ and $\gamma \ge 1/125312$ (since our choice of $m < k$ was the simplest). □

In fact, using the same values for the constants $c_2, c_4$, if we instead take $m = $ and $\eta = $ we can get a better $\gamma = 1/62672$, which is almost a factor 2 better than the exponent given in the theorem. Note further that for asymptotic statements, for any $\epsilon, a > 0$, we have $\mathrm{poly}(x)\, e^{-a x} = O(e^{-(a - \epsilon) x})$, so that we essentially ignore the prefactors $k$ and $\sqrt{k}$ which appear in the proof.


E Security of CDIQKD 

In this last section, we prove Theorem 4.2.

Theorem E.1. Security of CDIQKD (Theorem 4.2)

Let there be a DIQKD protocol which requires a perfect random number generator, and has completeness and soundness errors $(\varepsilon_c, \varepsilon_s)$. Then Alice can perform the Randomness Processing Protocol on her secret message $X$ with min-entropy $k$ to produce a secure random output $Z$, and perform CDIQKD with errors $(\varepsilon_c + \delta, \varepsilon_s + \delta)$, where $\delta = O(2^{-\gamma k})$.

Proof. Theorem 4.2

We need to check the security of the DIQKD protocol given that $Z$ is not perfectly random, but rather has an exponentially small error $\delta = O(2^{-\gamma k})$ for a constant $\gamma > 0$. Let $\rho_{ZXDE}$ be the output state of the randomness processing protocol (conditioned on accepting); then the soundness error just means that $\|\rho_{ZXDE} - U_Z \otimes \rho_{XDE}\| \le \delta$, where $D$ refers to the devices of the DIQKD protocol.

Completeness: The DIQKD completeness error $\varepsilon_c$ is calculated expecting perfect randomness in the protocol. Hence $P[\mathrm{Rej}(U_Z \otimes \rho_{XDE})] \le \varepsilon_c$. Here $\mathrm{Rej}[\rho]$ denotes the event that the protocol rejects upon input $\rho$. This immediately implies that $P[\mathrm{Rej}(\rho_{ZXDE})] \le \varepsilon_c + \delta$, since the trace norm operationally corresponds to the distinguishability of states.

Soundness: Let $\Lambda$ be the quantum channel of the DIQKD protocol which produces the shared key $Y$ between Alice and Bob; we write $\Lambda^{\mathrm{Acc}}$ to denote the action of the quantum channel upon acceptance. Let $\Lambda^{\mathrm{Acc}}[U_Z \otimes \rho_{XDE}] = \sigma_{YZXDE}$; then the soundness error is given by $\|\sigma_{YZXE} - U_Y \otimes \sigma_{ZXE}\| \le \varepsilon_s$. From the contractivity of the trace norm under quantum channels, we have $\|\Lambda^{\mathrm{Acc}}[\rho_{ZXDE}] - \Lambda^{\mathrm{Acc}}[U_Z \otimes \rho_{XDE}]\| \le \|\rho_{ZXDE} - U_Z \otimes \rho_{XDE}\| \le \delta$. And by the triangle inequality, we have the new soundness error $\|\tau_{YZXE} - U_Y \otimes \tau_{ZXE}\| \le \varepsilon_s + \delta$, with $\Lambda^{\mathrm{Acc}}[\rho_{ZXDE}] = \tau_{YZXDE}$.